: Demystifying Attacks | White Paper

CHECK POINT DEMYSTIFYING MOBILE SECURITY ATTACKS

Attacks on your mobile devices and traffic are quickly evolving. Mobile attackers are stealing (hey, it’s what they do) tried and true methods from the “traditional” (wired) world and applying them to the mobile one, as well as coming up with new, never before seen tactics that really take advantage of the new pathways mobile devices offer into an organization’s network. You need to prevent all the ways an attacker can exploit mobile devices to:

EAVESDROP COLLECT COMPROMISE SECURE Take over your ENTERPRISE DATA CONTAINERS device’s microphone Including emails, Extract application data and camera texts and call logs

The following is a quick look at some of the most common types of mobile attacks and what you need to arm yourself with to prevent them.

ANDROID MALWARE APPLICATIONS

WHAT IT DOES INFECTION VECTORS – HOW TO DETECT AND HOW IT WORKS HOW IT ‘GETS IN’ DAMAGE IT CAN CAUSE AND PREVENT IT

These are malicious The malicious applications Malware applications can act DETECT: You need a applications installed on a may be downloaded from as a remote access Trojan, with combination of AV, Network and device using the Android or a 3rd party a surveillance toolkit that can Event Anomaly Detection, and operating system (OS). The app store, an e-mail, or enable the attacker to steal Behavioral Application Analysis malware usually disguises an infected website or ad passwords, corporate data and (Sandboxing and advanced itself as an innocent app, such network. The malicious emails, as well as capture all code and traffic analysis) to be as a game, conference or applications may also be keyboard activity (keylogging) able to detect the wide variety PDF viewer, and then runs in uploaded by an attacker who and screen information (screen of malicious applications the background doing all its gains physical access to the scraping). They may also potentially in your environment. malicious activity. device. (Sometimes your kids/ activate the microphone to nephews/nieces/etc. install it!) listen in on conversations and PREVENT: You need On-Device meetings, act as a Trojan to Remediation that can enable steal contacts or text messages users to remove malware (SMS texts), or act as a mobile already on their device, as well botnet to send SMS messages as Network-Based Mitigation to to premium numbers. block any exfiltration activity.

©2015 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] 1 March 30, 2015 Check Point: Demystifying Mobile Security Attacks | White Paper

ANDROID ROOTKITS (NON-APPLICATION MALWARE)

WHAT IT DOES INFECTION VECTORS – HOW TO DETECT AND HOW IT WORKS HOW IT ‘GETS IN’ DAMAGE IT CAN CAUSE AND PREVENT IT

Android Rootkits are Rootkits may be embedded in Rootkits can act as a DETECT: You need the ability malicious software designed apps downloaded from Google remote access Trojan, with to do Network and Event to enable privileged (root) Play or a 3rd party app store, a surveillance toolkit that Anomaly Detection, as well access to a device using an e-mail, an infected website can enable the attacker to as Behavioral Application vulnerabilities in the Android or ad network. The Rootkits steal passwords, corporate Analysis to detect abnormal OS, without being detected. may also be pre-installed on data and emails, as well as activity on a device, Once deployed on the device the device or uploaded by an capture all keyboard activity including communications they look like an Android OS attacker who gains physical (keylogging) and screen from binaries that are not system file (they usually load access to the device. Once on information (screen scraping). applications, and correlate themselves into the system the device, the Rootkits use an They may also activate the that activity with events on the directory) and cannot be exploit to break the operating microphone to listen in on device to detect malware that removed without actually system application sandbox conversations and meetings, resides at the system-level. doing a factory reset to the and install themselves deep in or act as a botnet to steal device. This makes them the OS. contacts or text messages PREVENT: You need to be able invisible to AV-based solutions (SMS texts). to block the communication because privileged access is of non-application malware to required to scan the locations contain the threat. where the rootkit is installed.

EXPLOITS

WHAT IT DOES INFECTION VECTORS – HOW TO DETECT AND HOW IT WORKS HOW IT ‘GETS IN’ DAMAGE IT CAN CAUSE AND PREVENT IT

These span a large number Exploits may be disguised Once the exploit executes, DETECT: You need Behavioral of attacks that utilize in applications downloaded the attacker can snoop into Application Analysis and vulnerabilities in the from Google Play or a 3rd other applications storage, Sandbox analysis of payloads. operating system (OS) to party app store, an e-mail, memory and resources, thus The Sandbox needs to be able enable attackers to gain or an infected website or gaining access to encrypted to uniquely behave like the elevated privileges (root) and ad network. The Exploits enterprise content within attacked device to mitigate VM break the OS’ application may also be uploaded by an Mobile Device Management detection. Sandbox. attacker who gains physical (MDM) solutions, Containers access to the device. and Wrappers. Basically they PREVENT: You need On- have access to everything Device Remediation to enable stored on or flowing through users to remove malware the mobile device. already on a device and block any exfiltration activity. Can use Network-based Mitigation to block exploit traffic to contain attack.

Worldwide Headquarters | 5 Ha’Solelim Street, 67897, | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: [email protected] CONTACT US U.S. Headquarters | 959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233 | www.checkpoint.com

©2015 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] 2 March 30, 2015 Check Point: Demystifying Mobile Security Attacks | White Paper

IOS MALWARE DELIVERED USING FAKE ENTERPRISE OR DEVELOPER CERTIFICATES

WHAT IT DOES INFECTION VECTORS – HOW TO DETECT AND HOW IT WORKS HOW IT ‘GETS IN’ DAMAGE IT CAN CAUSE AND PREVENT IT

iOS malware delivered using Apple grants two different This malware can be used to DETECT: You need Device Risk fake certificates is malicious 3rd party certificates to do almost anything. It can act Assessments that can detect software installed on a organizations that agree to as a remote access Trojan, iOS apps on the device that device using the Apple iOS adhere to Apple’s guidelines. with a surveillance toolkit are using stolen or fraudulent operating system (OS) that is that may enable the attacker Enterprise/Developer accompanied by certificates They are: to steal passwords, emails, certificates. validated by Apple that calendar records and geo- 1. Developer certificates, actually represent a trusted location, in real time. It can PREVENT: You need On- which allow developers to organization that has been even activate the microphone Device Remediation that can test their apps before they compromised. Ever heard to listen in on conversations block or remove fraudulent go public on the Apple app of Sutxnet, Flame and Bit9 and meetings. certificates to eliminate the store. attacks? – they used a method attack. similar to this. 2. Enterprise certificates, which provide organizations the opportunity to establish their own, in-house marketplace for dedicated apps.

Behind the scenes, Apple validates an app is signed by a trusted certificate before allowing it to be side-loaded (which means it’s not installed through the App Store) on the device.

If an attacker is able to obtain a certificate they can use it to validate their malware and install it on any iOS device without passing it through the vetting process in the App Store. A user can then be lured to download their seemingly harmless app. (Note, given the volume of apps, it is very difficult for Apple to monitor the use of certificates, as a result, attacks have started to emerge, such as FinFisher mRAT that use these certificates.)

Worldwide Headquarters | 5 Ha’Solelim Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: [email protected] CONTACT US U.S. Headquarters | 959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233 | www.checkpoint.com

©2015 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] 3 March 30, 2015 Check Point: Demystifying Mobile Security Attacks | White Paper

IOS MALICIOUS PROFILES

WHAT IT DOES INFECTION VECTORS – HOW TO DETECT AND HOW IT WORKS HOW IT ‘GETS IN’ DAMAGE IT CAN CAUSE AND PREVENT IT

An attack that uses a A user may be tricked into A malicious profile DETECT: You need Device Risk configuration file for iOS downloading a malicious circumvents typical security Assessments that can detect that can re-define system profile and, by doing so, mechanisms, so it can be used rogue iOS profiles or profiles functionality parameters, unknowingly provide the rogue to do almost anything. It can that have been altered on the such as device, mobile carrier, configuration the ability to enable the attacker to steal device. Behavioral Application mobile device management re-route all traffic from the passwords, emails, all data Analysis can also be used to (MDM) and network settings. mobile device to an attacker- stored or passed through the identify profiles that exhibit A profile can circumvent controlled server, further phone, calendar records and abnormal or suspicious device and or application install rogue apps or even geo-location, in real-time. activity. security mechanisms, which is decrypt communications. A why it’s an attractive target for profile can also be loaded PREVENT: You need On- attackers. by an attacker, who gains Device Remediation that can physical access to the device. block or remove malicious profiles to eliminate the attack.

IOS SURVEILLANCE AND MOBILE REMOTE ACCESS TROJANS (MRATS)

WHAT IT DOES INFECTION VECTORS – HOW TO DETECT AND HOW IT WORKS HOW IT ‘GETS IN’ DAMAGE IT CAN CAUSE AND PREVENT IT

iOS mRATs are malicious These attacks typically take mRATs can act as a remote DETECT: You need to conduct software installed on a device advantage of a device that access Trojan, with a Device Risk Assessments using the Apple iOS operating has been jailbroken, which surveillance toolkit that can to detect those devices that system (OS) that gives an means all the built-in iOS enable the attacker to steal have been jailbroken and then attacker the ability to remotely security mechanisms have passwords, corporate data and investigate the actual behavior gain access to everything been removed. It’s not unusual emails, as well as capture all of the communication on the stored and flowing through the for iOS users to jailbreak their keyboard activity (keylogging) device. device. own device, so they can install and screen information any iOS application they want, (screen scraping). They may PREVENT: You need both not just the ones that are from also activate the microphone On-Device Remediation and Apple’s proprietary store. to listen in on conversations Network-based Mitigation Attackers can also jailbreak and meetings, or act as a to actively block traffic and an iOS device themselves, by botnet to steal contacts or text contain the mRAT. physically obtaining access messages (SMS texts). to the device or propagating the jailbreak code from a compromised computer through a USB cable. Once jailbroken, attackers can install the surveillance or spyphone application of their choice, or disguise it in an application from a third party app store for an unwitting user to download.

Worldwide Headquarters | 5 Ha’Solelim Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: [email protected] CONTACT US U.S. Headquarters | 959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233 | www.checkpoint.com

©2015 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] 4 March 30, 2015 Check Point: Demystifying Mobile Security Attacks | White Paper

MAN-IN-THE-MIDDLE (MITM)

WHAT IT DOES INFECTION VECTORS – HOW TO DETECT AND HOW IT WORKS HOW IT ‘GETS IN’ DAMAGE IT CAN CAUSE AND PREVENT IT

MitM attacks can eavesdrop, WiFi MitM attacks occur when MitM attacks can be used DETECT: You need Behavioral intercept and alter traffic a mobile device connects to to eavesdrop and even Application Analysis that can between two computing a rogue WiFi hotspot. The alter the encrypted (SSL) detect rogue WiFi hotspots devices. The user believes attacker may create a spoofed network’s communication and other risk factors. they are interacting with WiFi network (e.g. ‘Free- by using spoofed certificates a known, trusted entity ’) or simply connect or downgrading the PREVENT: You need On- (typically a web site). The to the same legitimate WiFi communication link, so it’s Device Remediation that normal alert and warning the victim is using; regardless un-encrypted and completely can dynamically trigger a signs on PCs and laptops are all communications end up open to the attacker. VPN to isolate the user’s much more subtle on mobile passing through the attacker- communication from the devices and their limited controlled network device. compromised network and screen size often hides URLs Network-based Mitigation from the user, making it to block traffic from a rogue harder to validate the URL hotspot. the browser is pointing to is actually the intended one.

Worldwide Headquarters | 5 Ha’Solelim Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: [email protected] CONTACT US U.S. Headquarters | 959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233 | www.checkpoint.com

©2015 Check Point Software Technologies Ltd. All rights reserved. Classification: [Protected] 5 March 30, 2015